[CentOS-devel] Checking signed repo metadata by default?

Thu Jan 5 13:32:24 UTC 2017
Karanbir Singh <mail-lists at karan.org>

On 05/01/17 09:22, Laurentiu Pancescu wrote:
> Hi there,
> 
> I stumbled upon an older post by Johnny Hughes about gpg-checking the
> repository metadata. [1]  In the meantime, we seem to have signed
> metadata not only for "updates", but also for "base", "extras" and
> "centosplus" (just the "base" signature for CentOS Linux 6 is missing).
> 
> What are the reasons for not enabling the repo gpg check in our default
> installation?  Would it be a bad idea to do that in our Vagrant images?

If all the metadata is now signed, the corresponding centos-release can
carry the gpgcheck enabled.

As a distro flag, this is a huge change. We just need to make sure
(quantify?) that we don't break existing installs. In most cases, this
is just a case of orchestrating it right (i.e., maybe centos-release with
the enabled flag needs to be staged out, in a way that only people with
all the repos signed are going to see this new file, and do it as a
second cycle).

Regards

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
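One way to quantify the "don't break existing installs" step before staging a centos-release with the flag enabled: audit which enabled repositories would still have unverified metadata. This is an added example, not code from this thread or from centos-release; it assumes standard yum `.repo` syntax and uses a constructed sample file with a placeholder mirror host.

```shell
#!/bin/sh
# Added example, not code from the thread or from centos-release.
# Lists every enabled repo in yum .repo file(s) that lacks repo_gpgcheck=1,
# i.e. repos whose repomd.xml signature yum will not verify. Reads the
# files given as arguments, or stdin. Assumes yum defaults: a section
# without enabled= is enabled; repo_gpgcheck defaults to 0.
audit_repo_gpgcheck() {
    awk '
        function flush() {
            if (name != "" && enabled == "1" && rgc != "1") print name
        }
        /^\[/ {                      # new [section]: report the previous one
            flush()
            name = substr($0, 2, index($0, "]") - 2)
            enabled = "1"; rgc = "0"
            next
        }
        /^[ \t]*enabled[ \t]*=/       { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); enabled = kv[2] }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); rgc = kv[2] }
        END { flush() }
    ' "$@"
}
# Constructed sample modelled on CentOS-Base.repo; the mirror host is a
# placeholder. "updates" shows the corrected form (repo_gpgcheck=1).
sample_repo() {
    cat <<'EOF'
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.example.org/centos/$releasever/os/$basearch/
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.example.org/centos/$releasever/updates/$basearch/
gpgcheck=1
repo_gpgcheck=1

[extras]
name=CentOS-$releasever - Extras
baseurl=http://mirror.example.org/centos/$releasever/extras/$basearch/
gpgcheck=1

[centosplus]
name=CentOS-$releasever - Plus
enabled=0
gpgcheck=1
EOF
}
# Stand-alone run: prints "base" and "extras" (enabled, metadata unverified).
sample_repo | audit_repo_gpgcheck
```

On a real host, run it as `audit_repo_gpgcheck /etc/yum.repos.d/*.repo`; an empty result means every enabled repo already demands a signed repomd.xml.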